You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Proposing a contribution path for content-layer AI agent threat detection signatures in Cuckoo3.
Context: I maintain Agent Threat Rules (ATR, https://github.com/Agent-Threat-Rule/agent-threat-rules), an MIT-licensed detection-rule corpus for AI agent runtime threats. 348 rules at v2.1.4 covering prompt injection, tool poisoning, context exfiltration, agent loop exploits. In production at Microsoft Agent Governance Toolkit, Cisco AI Defense (314-rule pack), MISP / CIRCL Luxembourg (merged 2026-05-10 by adulau, MISP project lead), and OWASP Agent-Security-Regression-Harness. 2 hours 16 minutes from MSRC Semantic Kernel CVE-2026-26030 disclosure (2026-05-07) to npm-published detection rules (2026-05-11).
Why Cuckoo3: AI-agent attacks increasingly ride traditional malware delivery chains. Prompt injection payloads bundled in PDF / document loaders that target downstream LLM-RAG pipelines, malicious MCP server manifests packaged in installers, agent skill manifests delivered alongside infostealer / cryptojacker combos. Cuckoo3's pattern signature framework (processing/cuckoo/processing/post/eventconsumer/patternsigs.py + signatures.zip) already fires on commandline, file write, registry write, and mutant events from sandbox runs. An AI-agent threat signature pack can fire on those same event kinds when an installer drops a malicious agent skill manifest, executes a malicious mcp add command, or writes to .claude/skills/ paths.
Scope proposal:
New YAML pattern pack under signatures.zip / pattern/windows/ (and pattern/linux/ when relevant) covering AI-agent-specific installer behaviors
15 CVE-anchored signatures to start, drawn from ATR rules tied to public CVE-2026-* identifiers
Fires on existing event kinds (commandline, file write, registry, mutant); no new event types, no Python plugin code, no scanner changes
All triggers Hyperscan-regex-compatible per the existing PatternScanner contract
No network calls, no LLM in the hot path, deterministic regex matching
Optional companion: a small YARA static set for AI-agent skill manifest fingerprints under yara/static/
Three questions before any code:
Is the pattern signature framework open to AI-agent installer behaviors (commandlines that install agent skills / MCP servers / Claude plugins) alongside the existing malware-family pattern packs, or is the framework scope-restricted to traditional malware indicators only?
Cross-CSIRT precedent: CybercentreCanada/Maco recently accepted external PR from lachlan-acsc (ACSC Australia). PR remove deprecated utcnow method #227 from external contributor timurivanov21 was merged here. Are you open to receiving a YAML pattern pack PR from an external maintainer, or would you prefer a different intake shape (e.g. RP template only, or a separate signatures-pack repo)?
EUPL-1.2 + MIT compatibility: ATR rules are MIT. I am happy to dual-license the contributed YAML pack so the Cuckoo3 tree stays EUPL-1.2 clean, or to wrap the pack as an optional add-on. Which arrangement do you prefer?
Honest about limits:
Regex-based; does not catch paraphrase bypasses
ATR rule corpus is predominantly English today; multilingual extension in progress with Japan AISI and CISPA Helmholtz
Signatures only fire when AI-agent threat indicators surface in sandbox-observed behaviors, not a substitute for traditional malware detection
Wave-1 outreach context (transparency): this proposal is part of a 3-target wave this week including CCCS Canada (PR to CCCS-Yara) and Australia ACSC (Issue to azul). Estonia CERT-EE is the third leg.
Hi cert-ee maintainers,
Proposing a contribution path for content-layer AI agent threat detection signatures in Cuckoo3.
Context: I maintain Agent Threat Rules (ATR, https://github.com/Agent-Threat-Rule/agent-threat-rules), an MIT-licensed detection-rule corpus for AI agent runtime threats. 348 rules at v2.1.4 covering prompt injection, tool poisoning, context exfiltration, agent loop exploits. In production at Microsoft Agent Governance Toolkit, Cisco AI Defense (314-rule pack), MISP / CIRCL Luxembourg (merged 2026-05-10 by adulau, MISP project lead), and OWASP Agent-Security-Regression-Harness. 2 hours 16 minutes from MSRC Semantic Kernel CVE-2026-26030 disclosure (2026-05-07) to npm-published detection rules (2026-05-11).
Why Cuckoo3: AI-agent attacks increasingly ride traditional malware delivery chains. Prompt injection payloads bundled in PDF / document loaders that target downstream LLM-RAG pipelines, malicious MCP server manifests packaged in installers, agent skill manifests delivered alongside infostealer / cryptojacker combos. Cuckoo3's pattern signature framework (processing/cuckoo/processing/post/eventconsumer/patternsigs.py + signatures.zip) already fires on commandline, file write, registry write, and mutant events from sandbox runs. An AI-agent threat signature pack can fire on those same event kinds when an installer drops a malicious agent skill manifest, executes a malicious mcp add command, or writes to .claude/skills/ paths.
Scope proposal:
Three questions before any code:
Honest about limits:
Wave-1 outreach context (transparency): this proposal is part of a 3-target wave this week including CCCS Canada (PR to CCCS-Yara) and Australia ACSC (Issue to azul). Estonia CERT-EE is the third leg.
Repo: https://github.com/Agent-Threat-Rule/agent-threat-rules
Maintainer: Adam Lin, adam@agentthreatrule.org
Foundation: Panguard AI Inc. (Delaware C-Corp, filed 2026-05-12)